NIS directive consultation

8th August 2017

Operators of essential services such as utilities, hospitals and the railways will be expected to meet new rules on network security – including reporting breaches within 72 hours – months before sector-specific guidance is issued by Government, according to a consultation document.

The UK Government is consulting on how to bring in the Security of Network and Information Systems (NIS) directive. It has much in common with the GDPR (General Data Protection Regulation) beyond the shared deadline of May 2018: penalties for serious breaches and losses of service, and for failure to put in place ‘appropriate and proportionate security measures’, are 20m euros or 4pc of the offender’s turnover.

The European Commission, together with member states, has agreed the NIS directive with the aim of increasing the security of network and information systems in the European Union (EU).

As with the GDPR, though the UK voted for Brexit in 2016, the Westminster Government says that it supports the aims of the NIS Directive.

It is to cover UK ‘operators of essential services’ (OESs for short) such as electricity, ports, airports and train operators, water, oil refiners, NHS trusts and digital infrastructure, against what the Government admits are increasing numbers of cyber threats. Also covered are other threats affecting IT, such as power failures, hardware failures and environmental hazards. The consultation by the Department for Digital, Culture, Media and Sport (DCMS) closes on September 30. Visit https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive. The consultation covers what the technical security measures ought to be to manage the risks; incident reporting of anything that has an ‘actual adverse effect’ on systems; and what the penalty regime ought to be.

While the document admits that having to report may be a burden on businesses, reportable incidents include computer viruses and malware, and anything else that leads to a loss or reduction of an essential service. The Government also wants to encourage voluntary reporting of incidents where operators had to act to keep services going. Reporting thresholds will differ by sector and have yet to be worked out. As for how fast an incident is supposed to be reported, the directive does not specify; the consultation document likewise only asks for ‘the earliest opportunity’, since an incident may spread, but it does set 72 hours (after ‘becoming aware of an incident’) as a maximum.

The Government proposes what it calls a ‘guidance and principles based’ approach: the National Cyber Security Centre (NCSC) will set out the principles and the guidance, working with relevant Government departments and ‘competent authorities’. As for a timetable, the Government says that in January the NCSC is to publish generic cross-sector security guidance, including a cyber assessment framework; the directive should become law (like the GDPR) in May 2018; and detailed, sector-specific guidance should follow by November 2018. The guidance is promised to set out what ‘good’ looks like, along with minimum security requirements.

Proposed principles set out briefly in the document cover governance, risk management, asset management and risks to the supply chain, including contractors.

The consultation document also says the NIS directive applies, ‘in a lighter touch manner’, to digital service providers (DSPs) such as online marketplaces, search engines and cloud storage services. These should take appropriate measures to manage risks, covering incident handling, business continuity, and monitoring and audit. Again, a ‘guidance and principles based’ approach is proposed, in line with the GDPR and with ENISA, the European Union’s agency for network and information security.

As an aside, ENISA’s European Energy – Information Sharing and Analysis Centre (EE-ISAC) is running a seminar for the energy sector at its Athens base on September 7.

Comments

Justin Coker, Vice President EMEA at Skybox Security, a cybersecurity and firewall management software company, says: “The consultation is welcome on NIS because, to comply, many organisations will need to review their own systems to keep pace with its requirements. The Government is saying severe fines will be levied unless an organisation can prove it assessed the risks adequately. But, too often there is no visibility of where the threats and vulnerabilities are. The attack surface is now more complex than ever, so organisations need to move away from traditional thinking and develop a clear picture of the long-term security goals, and plan the security program in a structured and logical way.

“Protecting and securing critical digital national infrastructure presents a real challenge because end-to-end access analysis must be done across hybrid IT and operational technology networks. To do this, organisations must obtain accurate visibility of the assets, security controls, policies and any potential vulnerabilities – the attack surface. They need to know when their security has been compromised and redress attack vectors before they can be exploited. Furthermore, security teams need a tool which gives them a context-aware representation of the attack surface so they can ensure teams focus on and prioritise the risks that are truly critical to the organisation.”

And Ross Brewer, VP and MD EMEA at threat analytics software company LogRhythm said: “As we saw with WannaCry recently, the consequences of an attack on our critical national infrastructure are unthinkable. Cybercrime is no longer a game involving hackers manipulating people and computer systems to get their hands on valuable data or money. The stakes are now much higher, with criminals proving they are capable of disrupting services that can effectively cripple an economy, a country’s stability and, worryingly, our lives.

“This initiative is a bold, but much needed step in the fight against cybercrime. With fines as high as those that will be implemented under GDPR, businesses that manage our critical infrastructure will suffer significantly should they fail to implement an effective security strategy with the right people, technology and processes. One weak link in our critical national infrastructure makes us a very vulnerable country.

“If they haven’t already, organisations need to sit up and realise that hackers are motivated and persistent and will do everything and anything to successfully access – and cripple – our networks. Organisations relying heavily on prevention need to realise that this is no longer enough and that they need to invest in the right monitoring, detection and response technologies to help them effectively manage today’s sophisticated threats. As attacks on our infrastructure become more commonplace, businesses need to take these government proposals seriously. The fines are high, and are a reflection of how dangerous today’s cyber criminals are and the threat they pose to our country. Unlike traditional warfare, cyber-attacks are ‘invisible’ and often easy to forget until you become a victim, and they have the potential to be far more catastrophic. To avoid these fines and ensure their services are protected from modern-day and future threats, businesses must have intelligence that gives them deep, consistent visibility across their entire network so hackers can be stopped.”